SD-Access… what the what is it? Day 2 at Cisco Live 2017

Hey everyone! I hope you’re having a great time this week at Cisco Live. If you’re not following me on Twitter, you should: @paulmc3!

SD-Access, so what’s up?

Software Defined Access (SD-Access) is Cisco’s latest innovation, in the works for the past few years, to completely redefine the campus through SDN and related technology. Think about your campus network architecture: do you have challenges with wireless mobility, overly complex spanning tree, segmentation of traffic, or a lack of visibility into users and applications? Solving those is a paramount tenet of SD-Access.

How do we accomplish this?

DNA Center will be the central brain for all the DNA products to come, but for now let’s focus on SD-Access. DNA Center sits hierarchically above point solutions like ISE, APIC-EM, and the Network Data Platform, giving a true single pane of glass. So what does the framework of SD-Access look like? Truthfully, look at this post of mine on Twitter, as the slide is perfect: here.

So what does SD-Access run on?

What does SD-Access run on? Not so simple, well it is… Let’s break it down by function:

Are you familiar with ACI? If so, these concepts won’t seem so foreign: the control plane node is similar to APIC plus part of what the spine nodes do, edge nodes are the leafs, and border nodes are the same as dedicated border leafs.

Along with the above, wireless is integrated into SD-Access via the following: the 3504, 5508 and 8540 WLCs, Wave 2 APs (1800/2800/3800), and Wave 1 APs with some caveats (1700/2700/3700).

So why separate everything?

Short version: this is the core of SDN, no matter the manufacturer or solution. Separating control plane traffic from the forwarding plane is critical and has been for a while. Whereas a lot of systems separate these logically within the same box, SDN separates them physically across a multitude of devices, which allows for economies of scale and affords immense resiliency with redundancy built in all over the place.

What is under the hood, how will I operate this?

When looking under the hood, which was a great session name by the way, I was reminded of ACI in many aspects.

Anycast GW provides a single L3 default gateway for IP-capable endpoints: same as ACI, the gateway lives at every single edge.

Stretched subnets allow an IP subnet to be “stretched” via the overlay: you don’t need OTV to stretch that IP subnet!

Layer 2 overlays allow non-IP hosts to connect and carry broadcast and multicast: you don’t need large STP domains to stretch that Layer 2 (if you have to). Note: this isn’t all or nothing, you can choose specific items to stretch.

Why should we care?

Taking all of the above concepts, you can start building policies on the network that dynamically identify endpoints and then apply the appropriate policy. Think about uSeg EPGs within ACI. For example, your HVAC network-connected systems shouldn’t be talking to the Accounting team, or vice versa, even though in legacy networks they might share the same IP subnet. This is the power of micro-segmentation: bringing data-access control on the campus to the same granularity you have in the data center. The caveat is that the policy is only as good as the classification behind it; an endpoint that gets profiled into the wrong group inherits that group’s access, so the onboarding and profiling rules deserve as much scrutiny as the policy matrix itself.
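As an added illustration (not from the original post, and not Cisco code), the toy model below ties together the overlay items listed above (host-level mappings in the control plane, a subnet stretched across several edges, one anycast gateway) with the group-based enforcement this section describes. Everything in it is invented for the example: the addresses, edge names, group names and policy matrix are assumptions, and the real fabric encapsulation and policy formats are not modelled.

```python
"""Toy model of fabric forwarding: a control plane node that maps host
addresses to the edge they sit behind, a subnet stretched over several
edges, a single anycast gateway, and a group policy enforced at the
destination edge. Constructed illustration only; no real protocol encoding."""
from dataclasses import dataclass
import ipaddress

# Assumed: one subnet whose hosts sit behind different edge nodes.
STRETCHED_SUBNET = ipaddress.ip_network("10.1.1.0/24")
# Assumed: the same gateway IP/MAC is configured on every edge node.
ANYCAST_GW = {"ip": "10.1.1.1", "mac": "00:00:0c:9f:f0:01"}

# Group policy matrix, (src_group, dst_group) -> allowed. Anything absent is denied.
POLICY = {
    ("Accounting", "Accounting"): True,
    ("Accounting", "FinanceServers"): True,
    ("HVAC", "BuildingMgmt"): True,
}


@dataclass(frozen=True)
class Registration:
    rloc: str   # edge node the host is attached to
    group: str  # group assigned when the endpoint was identified at onboarding


class MapServer:
    """Control plane node: one entry per host, mapping it to an edge and a
    group. There is no subnet-level entry, so reachability never relies on
    flooding the whole stretched subnet."""

    def __init__(self):
        self._db = {}

    def register(self, host, rloc, group):
        self._db[ipaddress.ip_address(host)] = Registration(rloc, group)

    def resolve(self, host):
        return self._db.get(ipaddress.ip_address(host))


def default_gateway(edge):
    """Every edge answers for the same gateway, so a host keeps its gateway
    when it roams from one edge to another."""
    return ANYCAST_GW


def same_subnet(a, b):
    return (ipaddress.ip_address(a) in STRETCHED_SUBNET
            and ipaddress.ip_address(b) in STRETCHED_SUBNET)


def policy_allows(src_group, dst_group):
    # Default deny: pairs not listed in the matrix are blocked.
    return POLICY.get((src_group, dst_group), False)


def forward(ms, src_ip, dst_ip):
    """Simulate one flow through the fabric and return the decision taken."""
    src = ms.resolve(src_ip)
    dst = ms.resolve(dst_ip)
    # A source that was never onboarded has no group and can only hit default deny.
    src_group = src.group if src else "Unknown"
    src_rloc = src.rloc if src else None
    if dst is None:
        # No mapping: dropped at the ingress edge instead of being flooded
        # the way a flat legacy subnet would handle an unknown destination.
        return {"result": "drop", "reason": "no mapping for destination",
                "src_group": src_group, "dst_group": None,
                "src_rloc": src_rloc, "dst_rloc": None}
    # The overlay header carries the source group to the destination edge,
    # which checks it against the group of its locally attached host.
    allowed = policy_allows(src_group, dst.group)
    return {"result": "allow" if allowed else "deny", "reason": "policy matrix",
            "src_group": src_group, "dst_group": dst.group,
            "src_rloc": src_rloc, "dst_rloc": dst.rloc}


def build_demo_fabric():
    """Constructed sample registrations: one subnet spread over three edges."""
    ms = MapServer()
    ms.register("10.1.1.20", "edge-1", "HVAC")
    ms.register("10.1.1.30", "edge-2", "Accounting")
    ms.register("10.1.1.31", "edge-3", "Accounting")
    ms.register("10.1.1.40", "edge-3", "BuildingMgmt")
    return ms


if __name__ == "__main__":
    fabric = build_demo_fabric()
    flows = [("10.1.1.20", "10.1.1.30"),   # HVAC -> Accounting, same /24: deny
             ("10.1.1.30", "10.1.1.31"),   # Accounting -> Accounting, two edges: allow
             ("10.1.1.20", "10.1.1.40"),   # HVAC -> BuildingMgmt: allow
             ("10.1.1.99", "10.1.1.30"),   # never onboarded source: deny
             ("10.1.1.20", "10.1.1.200")]  # unknown destination: drop, no flood
    for s, d in flows:
        r = forward(fabric, s, d)
        print(f"{s} -> {d}: {r['result']} ({r['src_group']} -> {r['dst_group']}, "
              f"{r['src_rloc']} -> {r['dst_rloc']})")
```

The point to take from the run is that the HVAC and Accounting hosts are in the same /24 and still get a deny, because the decision is made on the group carried in the overlay rather than on addressing, while the two Accounting hosts talk across edges with no spanning tree involved. An endpoint that never registered lands in the "Unknown" group and is denied by default, which is exactly why the classification step matters as much as the matrix.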

There is a whole lot more we could go into detail on with SD-Access, but I’m going to end it here. I plan to do some deeper dives after Cisco Live. Day 3 is on the horizon, here we go!

2 Comments

Hey David, thanks for the question! Prime Infrastructure will still be relevant, for now! I see PI becoming absorbed by the upcoming software kings like DNA Center over time. Definitely not an immediate thing.